App Node — OVA Appliance
The App Node ships as an .ova virtual-machine image with the full Logster
application stack pre-installed: Ubuntu Server 22.04, Docker, all container
images, the model checkpoints, and the configuration that wires everything
together. Nothing is downloaded at first boot.
This page takes you from importing the .ova to a running stack with live
endpoints reporting in.
> [!NOTE]
> Set up the GPU Node first. You need its endpoint URL in Step 2 below.
Hardware
| Resource | Recommended | Minimum |
|---|---|---|
| CPU | 12 vCPU | 8 vCPU |
| RAM | 64 GB | 24 GB |
| Disk | 300 GB NVMe SSD | 300 GB NVMe SSD |
Step 0 — Import the OVA
Import the shipped .ova into your hypervisor (VMware, VirtualBox, Proxmox,
etc.) using its standard "Import Appliance / Import OVF" workflow. Allocate at
least the resources in the table above, then power on the VM.
Log in at the console with the default credentials:
Step 1 — Rotate the default password
Change the default password immediately:
Step 2 — Configure the required settings
Logster needs two values before it can start. Copy the example file and edit it:
```bash
sudo cp /etc/logster/logster.env.example /etc/logster/logster.env
sudo nano /etc/logster/logster.env
```
Set these two values:
| Setting | What to put |
|---|---|
| `LOCAL_LLM_ENDPOINT` | The GPU Node's Chat Completions URL, e.g. `http://<gpu-node-ip>:8000/v1/chat/completions`. This is the endpoint you noted in GPU Node → Step 5. |
| `EXTERNAL_KAFKA_LAN_HOST` | The host or IP your endpoints will use to reach this appliance. Endpoints connect to `<this-value>:29092`. Set it to the App Node's LAN address. |
> [!IMPORTANT]
> If `LOCAL_LLM_ENDPOINT` does not point at a reachable model server, the stack still runs, but every window is reported as benign, so the failure is silent rather than visible. Make sure the GPU Node is up and reachable from the App Node before starting.
Step 3 — Install your license
Logster is licensed and will not start without a valid signed license file. Obtain your license from Eunomatix and install it:
> [!NOTE]
> The stack refuses to start until both the license file exists and `logster.env` from Step 2 is filled in. If the license is missing, invalid, or expired, the stack stays down.
Step 4 — Start the stack
Follow the startup logs:
First start takes roughly 3–5 minutes while internal services warm up.
Step 5 — Open the interfaces
Find the appliance's IP address with `ip addr`, then open these URLs from a
browser that can reach it:
| Interface | URL | Credentials |
|---|---|---|
| Dashboard | `http://<vm-ip>:5001` | None |
| REST API | `http://<vm-ip>:8080` | None |
| Kibana | `http://<vm-ip>:5601` | None |
| Grafana | `http://<vm-ip>:3001` | admin / logster |
| Prometheus | `http://<vm-ip>:9090` | None |
Step 6 — Point your endpoints at the appliance
Endpoints publish raw logs to the appliance's Kafka listener, which advertises
whatever you set as `EXTERNAL_KAFKA_LAN_HOST` in Step 2:
Topic layout:
| Topic | Source |
|---|---|
| `sysmon-logs` | Windows Sysmon |
How the advertised address works
`<EXTERNAL_KAFKA_LAN_HOST>:29092` is a bootstrap address only. When an
endpoint connects to it, the broker does not begin streaming; it returns the
advertised address that the client must reconnect to, and that address is
`<EXTERNAL_KAFKA_LAN_HOST>:29092` exactly as configured. The value therefore
defines not only where the appliance listens, but the address the broker
instructs every endpoint to use.
> [!IMPORTANT]
> `EXTERNAL_KAFKA_LAN_HOST` must be reachable and resolvable from the endpoints, not merely from the appliance. If an endpoint can open a connection to the bootstrap address on `:29092` but the broker returns a name or IP the endpoint cannot route to, the initial connection succeeds and then stalls or fails on the reconnect. This is the most common cause of an endpoint where Sysmon is running but no data reaches the dashboard.
Reaching the appliance by hostname (FQDN)
An IP address is not required. If endpoints reach the appliance by name — a DNS
record, an internal FQDN, a VPN name, or a hosts entry — set
`EXTERNAL_KAFKA_LAN_HOST` to that exact name:
Point the endpoint's bootstrap configuration at the same name:
Because the name is what the broker advertises, every endpoint must be able to resolve it, whether through working DNS or a local hosts entry; an endpoint that cannot resolve the name will connect to the bootstrap address and then fail on the reconnect.
> [!NOTE]
> `EXTERNAL_KAFKA_LAN_HOST` accepts a single value; Kafka advertises exactly one host:port on this listener. If endpoints reach the appliance by different addresses on different networks, use a name that resolves correctly for all of them (split-horizon DNS), or advertise an additional listener as described below.
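Both failure modes described in Step 2 and in this section (a model endpoint that is not reachable, and an advertised Kafka host that endpoints cannot route to) come from the two values in `logster.env`, and both are cheap to catch before the stack is started. The script below is an added example for this page, not a tool shipped with the appliance. It uses only the Python standard library; its function names (`parse_env`, `check_llm_endpoint`, `check_kafka_host`, `preflight`) and the two sample files embedded in it are constructed for the example. Run it on the appliance as `python3 preflight.py /etc/logster/logster.env` to also test the model server over TCP and confirm the Kafka host resolves from the appliance; resolution from the appliance does not prove resolution from the endpoints, which the script cannot test.

```python
"""Preflight check for the two required logster.env settings.

Added example for this page, not a tool shipped with the appliance. It catches
the two silent failures described above before the stack starts: a model
endpoint that is unreachable (every window reported benign) and a Kafka host
that endpoints cannot route to (bootstrap connects, reconnect stalls).
Standard library only; function names and sample files are this example's own.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

KAFKA_PORT = 29092                                  # fixed external listener port
LOCAL_ONLY = {"localhost", "0.0.0.0", "::", "::1"}  # meaningless to a remote endpoint


def parse_env(text: str) -> dict:
    """KEY=VALUE lines -> dict; comments and blanks skipped, surrounding quotes dropped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def check_llm_endpoint(url: str) -> list:
    """Static problems with LOCAL_LLM_ENDPOINT; [] means the value looks usable."""
    if not url:
        return ["LOCAL_LLM_ENDPOINT is not set"]
    problems = []
    if "<" in url or ">" in url:
        problems.append("LOCAL_LLM_ENDPOINT still contains a <placeholder>")
    try:
        parts = urlsplit(url)
    except ValueError:
        return problems + ["LOCAL_LLM_ENDPOINT is not a parseable URL"]
    if parts.scheme not in ("http", "https"):
        problems.append("LOCAL_LLM_ENDPOINT must start with http:// or https://")
    if not parts.hostname:
        problems.append("LOCAL_LLM_ENDPOINT has no host")
    if parts.path.rstrip("/") != "/v1/chat/completions":
        problems.append("LOCAL_LLM_ENDPOINT should end in /v1/chat/completions")
    return problems


def check_kafka_host(host: str) -> list:
    """Static problems with EXTERNAL_KAFKA_LAN_HOST as the address the broker advertises."""
    if not host:
        return ["EXTERNAL_KAFKA_LAN_HOST is not set"]
    if "://" in host:
        return ["EXTERNAL_KAFKA_LAN_HOST is a bare host or IP, not a URL"]
    problems = []
    if "<" in host or ">" in host:
        problems.append("EXTERNAL_KAFKA_LAN_HOST still contains a <placeholder>")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    name = host
    if ip is None and ":" in host:                  # name:port given, but the port is implied
        name = host.rsplit(":", 1)[0]
        problems.append(f"EXTERNAL_KAFKA_LAN_HOST must not include a port; :{KAFKA_PORT} is implied")
    if name.lower() in LOCAL_ONLY or (ip is not None and (ip.is_loopback or ip.is_unspecified)):
        problems.append("EXTERNAL_KAFKA_LAN_HOST is a local-only address; endpoints would reconnect to themselves")
    return problems


def tcp_open(host: str, port: int) -> bool:
    """Live check from this machine only; endpoints may sit on a different network."""
    try:
        with socket.create_connection((host, port), timeout=3):
            return True
    except OSError:                                 # includes DNS failure
        return False


def resolves(host: str) -> bool:
    """Live DNS/hosts check from this machine only."""
    try:
        socket.getaddrinfo(host, KAFKA_PORT)
        return True
    except socket.gaierror:
        return False


def preflight(env_text: str, live: bool = False) -> dict:
    """Return {setting: [problems]}; live=True adds the network checks above."""
    env = parse_env(env_text)
    url, host = env.get("LOCAL_LLM_ENDPOINT", ""), env.get("EXTERNAL_KAFKA_LAN_HOST", "")
    report = {"LOCAL_LLM_ENDPOINT": check_llm_endpoint(url),
              "EXTERNAL_KAFKA_LAN_HOST": check_kafka_host(host)}
    if live and not report["LOCAL_LLM_ENDPOINT"]:
        parts = urlsplit(url)
        if not tcp_open(parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)):
            report["LOCAL_LLM_ENDPOINT"].append("model server is not reachable from the appliance")
    if live and not report["EXTERNAL_KAFKA_LAN_HOST"] and not resolves(host):
        report["EXTERNAL_KAFKA_LAN_HOST"].append(f"{host} does not resolve from the appliance")
    return report


# Constructed sample files; not shipped with the appliance.
GOOD_ENV = ("LOCAL_LLM_ENDPOINT=http://192.0.2.10:8000/v1/chat/completions\n"
            "EXTERNAL_KAFKA_LAN_HOST=logster.corp.example\n")
BAD_ENV = ("LOCAL_LLM_ENDPOINT=http://<gpu-node-ip>:8000/v1/chat/completions\n"
           "EXTERNAL_KAFKA_LAN_HOST=localhost:29092\n")

if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/logster/logster.env") as fh:
        result = preflight(fh.read(), live=True)
    failures = [f"FAIL {k}: {p}" for k, v in result.items() for p in v]
    print("\n".join(failures) or "OK: both settings look usable")
    sys.exit(1 if failures else 0)
```

The static checks deliberately reject loopback, `0.0.0.0` and `localhost` for `EXTERNAL_KAFKA_LAN_HOST`: those values let the appliance's own clients connect, but the broker then advertises them to every endpoint, which reconnects to itself and stalls exactly as described above.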
Advertising an additional listener (advanced)
A single value covers the common case in which all endpoints reach the
appliance over one LAN address. If the broker must advertise on more than one
address simultaneously — for example, one network reaching it by LAN IP and
another by a VPN/Tailscale name — this exceeds the scope of the `logster.env`
setting and requires editing the Kafka service in
`/opt/logster/deploy/docker-compose.yml`. For each additional listener:
- Add a uniquely named listener to `KAFKA_LISTENERS` on a new port (e.g. `EXTERNAL_VPN://:29095`).
- Add the matching advertised entry to `KAFKA_ADVERTISED_LISTENERS` (e.g. `EXTERNAL_VPN://<vpn-name>:29095`).
- Map its security protocol in `KAFKA_LISTENER_SECURITY_PROTOCOL_MAP` (e.g. `EXTERNAL_VPN:PLAINTEXT`).
- Publish the new port under the kafka service's `ports:`.
Each advertised entry must still be reachable and resolvable from the endpoints that use it; the requirement above applies to every listener individually. Point each group of endpoints at the bootstrap address for its respective listener. Restart the stack after editing the compose file.
> [!WARNING]
> The shipped OVA exposes only the single external LAN listener on `29092` (the host-only listener is removed during the appliance build). Editing the compose file is an advanced, unsupported customization. Retain a backup of the original file and expect to re-apply the changes after an appliance update.
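Editing the three Kafka entries and the `ports:` list by hand is easy to leave half-done: a listener with no advertised entry, a protocol map that lacks the new name, or a port that is never published, after which Kafka either refuses to start or advertises an address endpoints cannot use. The script below is an added example for this page, not part of the appliance or its compose file: it applies the four steps above to the Kafka environment as Python data and cross-checks the result the same way. `BASE_ENV`/`BASE_PORTS` and the names `add_listener`/`validate` are constructed for the example; the shipped compose file has different values and must be read from disk rather than assumed.

```python
"""Kafka multi-listener helper for the docker-compose Kafka service.

Added example for this page; not part of the appliance or its compose file.
It performs the four hand edits above (KAFKA_LISTENERS, KAFKA_ADVERTISED_LISTENERS,
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP, ports:) on an in-memory copy of the
service environment and validates that every listener is complete and routable.
BASE_ENV / BASE_PORTS are a constructed stand-in, not the shipped values.
"""
import ipaddress

LOCAL_ONLY = {"localhost", "0.0.0.0", "::", "::1"}


def parse_listeners(value: str) -> dict:
    """'NAME://host:port,...' -> {NAME: (host, port)}; an empty host means bind-all."""
    result = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        name, _, rest = item.partition("://")
        host, _, port = rest.rpartition(":")
        result[name] = (host, int(port))
    return result


def format_listeners(listeners: dict) -> str:
    return ",".join(f"{n}://{h}:{p}" for n, (h, p) in listeners.items())


def parse_protocol_map(value: str) -> dict:
    """'NAME:PROTOCOL,...' -> {NAME: PROTOCOL}."""
    return dict(item.strip().split(":", 1) for item in value.split(",") if item.strip())


def add_listener(env: dict, ports: list, name: str, advertised_host: str, port: int,
                 protocol: str = "PLAINTEXT") -> tuple:
    """Return (new_env, new_ports) with one extra listener; refuses name/port collisions."""
    listeners = parse_listeners(env["KAFKA_LISTENERS"])
    advertised = parse_listeners(env["KAFKA_ADVERTISED_LISTENERS"])
    protocols = parse_protocol_map(env["KAFKA_LISTENER_SECURITY_PROTOCOL_MAP"])
    if name in listeners:
        raise ValueError(f"listener {name} already exists")
    if port in {p for _, p in listeners.values()}:
        raise ValueError(f"port {port} is already used by another listener")
    listeners[name] = ("", port)                  # bind on all container interfaces
    advertised[name] = (advertised_host, port)    # what the broker tells endpoints to use
    protocols[name] = protocol
    new_env = dict(env)
    new_env["KAFKA_LISTENERS"] = format_listeners(listeners)
    new_env["KAFKA_ADVERTISED_LISTENERS"] = format_listeners(advertised)
    new_env["KAFKA_LISTENER_SECURITY_PROTOCOL_MAP"] = ",".join(f"{n}:{p}" for n, p in protocols.items())
    return new_env, ports + [f"{port}:{port}"]    # compose "host:container" mapping


def _is_local_only(host: str) -> bool:
    """True for addresses that only the appliance itself could use."""
    if host.lower() in LOCAL_ONLY:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def validate(env: dict, ports: list) -> list:
    """Cross-check the three entries against the port list; [] means consistent."""
    problems = []
    listeners = parse_listeners(env["KAFKA_LISTENERS"])
    advertised = parse_listeners(env["KAFKA_ADVERTISED_LISTENERS"])
    protocols = parse_protocol_map(env["KAFKA_LISTENER_SECURITY_PROTOCOL_MAP"])
    host_ports = {int(m.split(":")[0]) for m in ports}
    seen_ports = set()
    for name, (_, port) in listeners.items():
        if port in seen_ports:
            problems.append(f"{name}: port {port} is used by two listeners")
        seen_ports.add(port)
        if name not in advertised:
            problems.append(f"{name}: no entry in KAFKA_ADVERTISED_LISTENERS")
        else:
            host, adv_port = advertised[name]
            if adv_port != port:
                problems.append(f"{name}: advertised port {adv_port} differs from listener port {port}")
            if not host or "<" in host:
                problems.append(f"{name}: advertised host is empty or still a <placeholder>")
            elif _is_local_only(host):
                problems.append(f"{name}: advertised host {host} is unroutable from endpoints")
        if name not in protocols:
            problems.append(f"{name}: no entry in KAFKA_LISTENER_SECURITY_PROTOCOL_MAP")
        if port not in host_ports:
            problems.append(f"{name}: port {port} is not published under ports:")
    for name in sorted(set(advertised) - set(listeners)):
        problems.append(f"{name}: advertised but not in KAFKA_LISTENERS")
    return problems


# Constructed stand-in for the kafka service's environment (not the shipped file).
BASE_ENV = {
    "KAFKA_LISTENERS": "EXTERNAL://:29092",
    "KAFKA_ADVERTISED_LISTENERS": "EXTERNAL://192.168.10.30:29092",
    "KAFKA_LISTENER_SECURITY_PROTOCOL_MAP": "EXTERNAL:PLAINTEXT",
}
BASE_PORTS = ["29092:29092"]

if __name__ == "__main__":
    env, ports = add_listener(BASE_ENV, BASE_PORTS, "EXTERNAL_VPN", "logster.tailnet.example", 29095)
    for key, value in env.items():
        print(f"{key}: {value}")
    print("ports:", ports)
    print("problems:", validate(env, ports) or "none")
```

`validate` applies the reachability rule above to every listener individually: an advertised host that is empty, still a placeholder, or a loopback/unspecified address is reported, because the broker would hand that value to the endpoints using that listener.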
Applying a change
If you change `EXTERNAL_KAFKA_LAN_HOST` (or edit the compose file) later,
restart the stack so Kafka re-reads its configuration:
Connecting a Windows endpoint
To monitor a Windows machine, install two components on it:
- Sysmon — the collector. It records detailed process, network, and file activity to the Windows event log.
- Winlogbeat — the shipper. It reads Sysmon's events and forwards them to the appliance's Kafka listener.
Install them in that order: Winlogbeat reads the
`Microsoft-Windows-Sysmon/Operational` channel, which does not exist until
Sysmon is installed.
Run all of the commands below in an Administrator PowerShell session on the endpoint.
Step 1 — Install Sysmon (the collector)
Download Sysmon from Microsoft Sysinternals and extract it:
```powershell
cd C:\
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sysmon.zip" -OutFile Sysmon.zip
Expand-Archive -Path Sysmon.zip -DestinationPath "C:\Program Files\Sysmon"
```
Add the configuration. Sysmon does almost nothing useful without one — the configuration decides which events are recorded and which noise is filtered out. Logster ships a ready-to-use baseline on the Sysmon Configuration page.
Open that page, copy the full configuration, and save it on the endpoint as:
(for example, open Notepad as Administrator, paste, and save with that exact path).
> [!NOTE]
> The configuration requires Sysmon 13 or newer (the `Sysmon.zip` download above is always the latest version, so this is satisfied automatically).
Install Sysmon with the configuration:
Verify the service is running:
It should report Running. Sysmon now starts automatically on every boot.
> [!TIP]
> To apply an updated configuration later — without reinstalling — use:
Step 2 — Install and configure Winlogbeat (the shipper)
Download Winlogbeat
```powershell
cd C:\
Invoke-WebRequest -Uri "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.17.0-windows-x86_64.zip" -OutFile winlogbeat.zip
Expand-Archive -Path winlogbeat.zip -DestinationPath "C:\Program Files"
Rename-Item "C:\Program Files\winlogbeat-8.17.0-windows-x86_64" "C:\Program Files\Winlogbeat"
```
Configure Winlogbeat
Edit `C:\Program Files\Winlogbeat\winlogbeat.yml`. Replace the Kafka `hosts`
value with your appliance's `EXTERNAL_KAFKA_LAN_HOST`:
```yaml
# ======================== Winlogbeat Configuration ============================
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - add_fields:
          target: host
          fields:
            name: ${COMPUTERNAME}

# ======================== Processors ==========================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_fields:
      target: ''
      fields:
        host.hostname: ${COMPUTERNAME}

# ======================== Outputs =============================================
# Disable Elasticsearch output
output.elasticsearch:
  enabled: false

# Enable Kafka output
output.kafka:
  enabled: true
  hosts: ["192.168.10.30:29092"]   # <-- set to <EXTERNAL_KAFKA_LAN_HOST>:29092
  topic: "sysmon-logs"
  partition.round_robin:
    reachable_only: true
  required_acks: 1
  compression: gzip
  codec.json:
    pretty: false
    escape_html: false

# ======================== Logging =============================================
logging.level: info
logging.to_files: true
logging.files:
  path: C:\Program Files\Winlogbeat\logs
  name: winlogbeat
  keepfiles: 7
  permissions: 0640
```
Install and start the service
```powershell
cd "C:\Program Files\Winlogbeat"
powershell -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1
Start-Service winlogbeat
Get-Service winlogbeat
```
`Get-Service winlogbeat` should report `Running`. Within a minute or two the
endpoint appears on the Logster Dashboard (`http://<vm-ip>:5001`).
Troubleshooting
Stack won't start:
```bash
sudo systemctl status logster.service
sudo docker compose -f /opt/logster/deploy/docker-compose.yml ps
sudo docker compose -f /opt/logster/deploy/docker-compose.yml logs --tail 100
```
The two most common causes are a missing or invalid license (Step 3) or an unfilled `logster.env` (Step 2).
Reset to a clean state (wipes all data):
```bash
sudo systemctl stop logster.service
cd /opt/logster/deploy && sudo docker compose --profile services down -v
sudo systemctl start logster.service
```
Endpoint not appearing on the dashboard:
- Confirm Sysmon is running on the endpoint and writing to its `Microsoft-Windows-Sysmon/Operational` log.
- Confirm the endpoint can reach `<EXTERNAL_KAFKA_LAN_HOST>:29092` (check firewalls between the endpoint and the appliance).
- Check the Winlogbeat logs at `C:\Program Files\Winlogbeat\logs` for output errors.